Blog May 21, 2024 Digital Certificates

The Case of the Blank Enrollment Policy

by Jake Grandlienard

The Problem:

Recently we worked with a client having issues with servers being unable to enroll for certificates. Users logged onto the servers could enroll successfully, however both autoenroll and manual enrollment for the servers were unsuccessful.

Troubleshooting the Issue:

The first test was to attempt a manual enrollment via CertLM.msc. We launched CertLM.msc from an administrative PowerShell window, then right-clicked the Personal store and selected All Tasks, Request New Certificate…

Figure 1 Manually enrolling for a certificate (CertLM.msc)

After selecting Next on the first page of the enrollment wizard, the second page lists the available enrollment policies. Normally, at a minimum, the Active Directory Enrollment Policy is shown.

Figure 2 Comparison of the server with the issue (no enrollment policy listed) vs. a server showing the normal policy

The Cause:

The issue was caused by a group policy setting that had been edited: the enrollment policy entry was removed, but the setting itself was left Enabled. An enabled setting with no policy results in no enrollment policy being available to the computer, which stops all enrollments.

Figure 3 GPMC view of the policy issue

The Resolution:

To resolve the issue permanently, identify the group policy object with the incorrect configuration and set the setting to Not Configured. To temporarily validate that this setting is the cause, open regedit and look under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography. If a PolicyServers key is present, a group policy is applying an enrollment policy setting to the computer.

Figure 4 Registry with the policy setting applied (left) vs. no policy applied (right)

The PolicyServers key can be removed manually, which allows certificate enrollment to work temporarily. At the next group policy refresh the key is written back and enrollment stops working again, so the permanent fix has to be made in the GPO.
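The registry check described above can be scripted so that the state of the enrollment policy is obvious on any server. The following PowerShell is an added example for this post, not a script from the author or from PKI Solutions. It reads the policy-applied location named in the post and reports whether a GPO is applying an enrollment policy and whether that policy actually lists any policy servers. The value names it reads under the PolicyServers key (Flags on the key itself, and URL, FriendlyName and PolicyID on each server subkey) and the detection rule "key present but no server subkeys means a blank policy" are assumptions drawn from how this GPO setting is normally written to the registry, not details stated in the post. Reading the key works as a standard user; the optional removal switch needs an elevated session.

```powershell
# Added example: report the state of the "Certificate Enrollment Policy"
# registry location the post points at, and optionally remove it for the
# temporary test the post describes. Not part of the original post.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Temporary test only: remove the policy-applied key. Group policy
    # refresh writes it back, as the post notes.
    [switch]$RemovePolicyKey
)

# Location written by the GPO (the post's regedit path, as a PowerShell path).
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
# Assumed: per-machine, non-policy location used when no GPO applies.
$LocalPath  = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers'

function Get-EnrollmentPolicyState {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Flags = $null; Servers = @() }
    }

    $keyProps = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    # Each configured policy server is expected (assumption) to be a subkey
    # carrying URL / FriendlyName / PolicyID values.
    $servers = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Id           = $_.PSChildName
            URL          = $s.URL
            FriendlyName = $s.FriendlyName
            PolicyID     = $s.PolicyID
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Present = $true
        Flags   = $keyProps.Flags
        Servers = @($servers)
    }
}

$policy = Get-EnrollmentPolicyState -Path $PolicyPath
$local  = Get-EnrollmentPolicyState -Path $LocalPath

if (-not $policy.Present) {
    Write-Host "No enrollment policy GPO is applied ($PolicyPath absent)."
    Write-Host "Enrollment should offer the default Active Directory Enrollment Policy."
}
elseif ($policy.Servers.Count -eq 0) {
    # This is the symptom from the post: the GPO setting is Enabled but the
    # policy list is empty, so no enrollment policy is offered at all.
    Write-Warning "Enrollment policy GPO is applied (Flags=$($policy.Flags)) but lists NO policy servers."
    Write-Warning "Expect autoenrollment and manual enrollment for this computer to fail."
    Write-Warning "Permanent fix: set the GPO setting to Not Configured in GPMC."
}
else {
    Write-Host "Enrollment policy GPO applied with $($policy.Servers.Count) policy server(s):"
    $policy.Servers | Format-Table -AutoSize
}

if ($local.Present) {
    Write-Host "Locally configured policy servers (non-GPO): $($local.Servers.Count)"
}

if ($RemovePolicyKey -and $policy.Present) {
    # Supports -WhatIf / -Confirm through SupportsShouldProcess.
    if ($PSCmdlet.ShouldProcess($PolicyPath, 'Remove policy-applied enrollment key (temporary test)')) {
        Remove-Item -Path $PolicyPath -Recurse -Force
        Write-Host "Removed $PolicyPath. Retry enrollment now; the key returns at the next gpupdate."
    }
}

# To find WHICH GPO pushes the setting, generate an RSoP report and look for
# the Certificate Services Client - Certificate Enrollment Policy setting.
gpresult /h "$env:TEMP\rsop-enrollment.html" /f
Write-Host "RSoP report written to $env:TEMP\rsop-enrollment.html"
```

Run it with no switches on the affected server and on a healthy one and compare the output; the affected server should report the key present with zero servers, matching the left side of Figure 4. `-RemovePolicyKey -WhatIf` shows what would be deleted without touching the registry, and the RSoP report points at the GPO that needs to be corrected in GPMC.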

Jake Grandlienard

Jake Grandlienard brings more than 19 years of industry experience as a senior level engineer. Jake is a subject matter expert in PKI, mobile device management software, smart card management software, and Hardware Security Module (HSM) integrations.

